Forem: Shreyansi Shrestha

Building a Secure Password Reset System with Node.js and MySQL

Shreyansi Shrestha — Wed, 12 Mar 2025 01:52:38 +0000

In this guide, we'll walk through implementing a password reset feature using Node.js, Express, MySQL, and bcrypt. This will ensure users can securely reset their passwords through an email token-based system.

1. Setting Up the Node.js Project

Start by installing the required dependencies:

npm install express mysql bcrypt ejs body-parser

express – Framework for handling HTTP requests
mysql – To interact with MySQL database
bcrypt – For hashing passwords securely
ejs – To render views
body-parser – To parse form data

Next, create an index.js file and set up the server:

const express = require('express');
const mysql = require('mysql');
const bcrypt = require('bcrypt');
const bodyParser = require('body-parser');

const app = express();
app.use(bodyParser.urlencoded({ extended: true }));

const db = mysql.createConnection({
    host: 'localhost',
    user: 'root',
    password: '',
    database: 'mydb'
});

db.connect(err => {
    if (err) throw err;
    console.log('Connected to MySQL');
});

2. Validating the Reset Token

When a user clicks the "Forgot Password" link, they receive a token via email. The API must verify that token before allowing a password reset.

const resetPasswordLoad = (req, res) => {
    const token = req.query.token;
    if (!token) return res.render('404');

    db.query('SELECT * FROM password_resets WHERE token=? LIMIT 1', [token], (err, result) => {
        if (err || result.length === 0) return res.render('404');

        db.query('SELECT * FROM users WHERE email=? LIMIT 1', [result[0].email], (err, user) => {
            if (err) return res.render('404');
            res.render('reset-password', { user: user[0] });
        });
    });
};

Retrieves the token from the URL
Checks if it exists in the password_resets table
If valid, fetches the corresponding user and renders the password reset form

3. Creating the Reset Password Form

Create views/reset-password.ejs:

<form action="/reset-password" method="POST">
    <input type="hidden" name="email" value="<%= user.email %>" />
    <label>New Password:</label>
    <input type="password" name="password" required />
    <button type="submit">Reset Password</button>
</form>

4. Updating the Password in MySQL

Handle the password update in index.js:

app.post('/reset-password', (req, res) => {
    const { email, password } = req.body;

    if (!password) {
        return res.render('message', { message: 'Password cannot be empty!' });
    }

    const hashedPassword = bcrypt.hashSync(password, 10);

    db.query('UPDATE users SET password=? WHERE email=?', [hashedPassword, email], (err) => {
        if (err) return res.render('message', { message: 'Error updating password.' });

        db.query('DELETE FROM password_resets WHERE email=?', [email], () => {
            res.render('message', { message: 'Password reset successful! You can now log in.' });
        });
    });
});

Hashes the new password before updating it
Deletes the password reset token after a successful reset

5. Displaying Success/Error Messages

Create views/message.ejs:

<% if (message) { %>
    <h2><%= message %></h2>
<% } %>

6. Running the Server

Start the Node.js server:

node index.js

Now, the password reset system is functional!

While working on the password reset system in Node.js and MySQL, I wanted to ensure both security and efficiency. Using verification tokens added a layer of authentication, while hashed passwords protected user data. Additionally, implementing proper validation helped prevent errors and improve reliability. This approach made the system more robust and user-friendly.

{ Understanding PROPS in React.js }

Shreyansi Shrestha — Fri, 03 Jan 2025 11:53:01 +0000

PROPS meaning properties in React.js, and these properties/property can be passed from one component to another component ( for example : a property passed from parent component to the child component).

These properties are read-only.
Through these, parent component can send data to child component.

As we can we in the above picture, App.jsx is the parent component and Student.jsx is the child component. The key-value pair (name="Spongebob") from parent component is being passed to child component 'Student', and then that key value pair gets stored in PROPS object.

Now, to have the value of name from PROPS object, we use props.name and that is what we can see is done in the child component Student. So, this way we can retrieve value in child component from parent component ( via PROPS object).

In App.jsx :

In Student.jsx :

In localhost :

So, this is a topic in React.js that took me quite some time to understand and grasp the concept, but at the end, the satistaction of finally understanding it made all that effort worth it.

{ my learnings through Error message “error:0308010C:digital envelope routines::unsupported” }

Shreyansi Shrestha — Thu, 19 Dec 2024 04:15:15 +0000

While I was working on my full-stack application, I came across this cryptographic error and when I searched for it on StackOverflow and ChatGPT, I got to know it arised due to changes in Node.js's handling of OpenSSL, affecting cryptographic operations,i.e., my application was attempting to use cryptographic algorithms or features that are no longer supported in the current OpenSSL version bundled with Node.js. So, the error actually came from the dependency I downloaded relying on an obsolete version of SSL.

Thereupon, to fix this error :

Initially, I tried deleting my node_modules folder (from the frontend
workspace/folder) and re-running npm install in order to reinstall
the dependencies. However, this did not solve the issue.
Then, I now understood that I should be switching the deprecated
algorithm to legacy mode in order to solve the compatibility issues.
And, while surfing regarding the deprecated algorithms, it got me
reminded of the SHA-1 in PGP (Pretty Good Privacy) I learnt in the
prior semester in college, in Computer Networks. SHA-1 is a hashing
algorithm which has become a deprecated algorithm because of the
security issues.

And continuing with the topic, since my app was a non-critical application which required some backward compatibility too, I decided to continue with using the --openssl-legacy-provider flag for a temporary workaround, as this would help me learn more about the possible errors that might occur, know more about root causes and how to solve it, along with other various terms that I might possibly encounter during the process.

The --openssl-legacy-provider enables the use of legacy algorithms by instructing Node.js to utilize OpenSSL's legacy provider, thereby restoring support for such cryptographic functions.

So, in the terminal, i started with :

npm update
npm audit fix — force

Then, on the package.json file, I made the following changes :

BEFORE :

"scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject"
}

AFTER :

"scripts": {
    "start": "react-scripts --openssl-legacy-provider start",
    "build": "react-scripts --openssl-legacy-provider build",
    "test": "react-scripts test",
    "eject": "react-scripts eject"
}

Now, this finally solved the issue and I loved how I progressed learning about different things just by trying to resolve this issue myself, learnings about how npm functions in detail, how versions are managed, about the deprecated and legacy algorithms, etc.